Need a better understanding of how damaging ransomware attacks can be? There’s no better case study than what’s happened to MongoDB.

Last week, it came to light that unsecured MongoDB databases were being hit by an attacker demanding a 0.2BTC ransom ($220) to return the data he was holding hostage.

The attacker, who goes by the online handle Harak1r1, has been hitting servers across the globe, said penetration tester Victor Gevers, who noticed the attacks when he reported exposed installations to their owners.

Gevers, from Netherlands-based GDI Foundation, has been tracking the activity along with Niall Merrigan, a Norway-based developer. They’ve warned that it’s old MongoDB instances deployed via cloud hosting services, mostly on the AWS platform with a default configuration, that are being attacked.

Dark Reading contributing writer Ericka Chickowski noted in her report that these attacks show how the bad guys are diversifying their ransomware tactics. She wrote:

The present attacks against MongoDB seek out installations made accessible to the Internet without a set administrator password. The bad guys take over these accounts, upload the data on the databases, delete that data, and replace it with a ransom demand. Unlike ransomware attacks, these ones require no advanced malware or even any kind of phishing lure – they simply take advantage of poorly implemented systems.

The downward spiral

Tuesday, the news kept getting worse for MongoDB users. Merrigan noted a massive surge in attacks on Monday, with the number of compromised servers doubling in a single day. Citing Merrigan’s data, Information Security Media Group (ISMG) managing editor Jeremy Kirk wrote:

Early on Jan. 9, about 12,000 MongoDB servers had been compromised … Later that day, the figure surged to 28,000. The total amount of data held hostage could be as high as 93 terabytes. Affected organizations are shown a warning asking them to pay a ransom in bitcoin, the virtual currency. The attackers typically delete the database and leave a ransom note in its place. Recently seen ransoms have demanded quantities of bitcoins ranging in value from $200 to $1,000.

Kirk noted that according to a spreadsheet Gevers and Merrigan compiled, 20 victims have paid ransoms so far but haven’t gotten their data back.

The number of potential victims in an attack like this is substantial. MongoDB has become extremely popular in recent years because it uses a schema that’s a lot more flexible than those of other databases. The ranking system of DB-engines.com has it pegged as the fourth-most popular database management system (DBMS) and the most popular NoSQL DBMS.

“MongoDB is the fastest-growing database ecosystem, with over 20 million downloads, thousands of customers, and over 1,000 technology and service partners,” DB-engines.com says on its website.

Security experts say it’s hard to tell at this point how many entities have data that’s being held hostage by Harak1r1. Victims who have their data backed up can tell the kidnapper to take a hike. There’s limited comfort in that, though. It’s unsettling and damaging whenever a company’s data is compromised.

At least with MySQL, PostgreSQL and much of the relational database software, the defaults are fairly secure: listen on the local interface only and require some form of authorization by default. This isn’t the case with some of the newer NoSQL products that entered the mainstream fairly recently.

The problem for MongoDB users seems to be that on some systems the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Users are supposed to read the manual and set up access control and authentication after installing the software, but it seems that plenty of them don’t.

The result is an internet-connected database with no access control or authentication.
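To make the two states concrete, here is an added, constructed pair of mongod.conf fragments (not from the article or from MongoDB’s documentation): the first is the shape of configuration that left instances exposed, the second its hardened counterpart. It assumes mongod reads its YAML config file and the stock port 27017; note that before MongoDB 3.6 the server bound every interface unless bindIp was set, and authorization is off unless security.authorization is explicitly enabled.

```yaml
# Constructed example of an exposed configuration, not a file from the article.
# Binding every interface on a cloud host makes the port reachable from the
# Internet; with no security section, any client that connects is trusted.
net:
  port: 27017
  bindIp: 0.0.0.0
---
# Hardened counterpart: local interface only (add a private address if an
# application server must reach it), and every connection must authenticate.
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
```

After restarting with authorization enabled, the first administrative user is created through the localhost exception (a connection from 127.0.0.1 while no users exist), after which unauthenticated clients get nothing. A quick external check for the exposed state is whether port 27017 answers from an address outside the host at all.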

The need for awareness

The MongoDB story highlights the need for increased awareness. The lack of understanding when it comes to ransomware was made plain during a recent survey Sophos conducted. The survey asked 1,250 consumers in five countries about their biggest safety fears, where they sought advice for keeping their computers safe and how much they know about ransomware and other malware.

More than 30% admitted their defenses against phishing and ransomware are poor, and that they lack sufficient understanding of how they are targeted and what they can do about it. It’s not that people are completely clueless about the dangers they face. They simply acknowledged that they’re not as educated and experienced as they’d like to be.

More than half of those polled said they give IT advice to family and friends. But 14% of them admitted that they’re unsure about whether they’ve properly backed up the data on someone else’s computer or if they have the ability to recover that data if the computer is ever hacked. Meanwhile, 11% admitted they’re unsure if the computers they look after are truly protected from hackers and viruses.

My personal beef with them is that they scanned our firewall multiple times nearly every day for over a year straight. I had read that it is the main source that is used to collect IPs of webcams on multiple sites. If they vetted people before using their services I wouldn’t have a negative thing to say about them. Maybe if they had a form to ask to be removed from their scans, but they don’t. Calling them was also useless, and they denied flat out that they repeat scan like that themselves and that they have no restrictions on who and how it’s used. They offered that we could file a formal complaint but we would be required to supply logs to them and made it sound futile. In short, they pissed me off and I see them as very irresponsible with what they offer.